Mixed Mining Arts? UFC Website Removes Malicious Crypto Code

It's the latest large site seen to be running up site visitors CPU to crank out cryptocurrency.

AccessTimeIconNov 7, 2017 at 8:00 p.m. UTC
Updated Sep 13, 2021 at 7:08 a.m. UTC

A subscription streaming site owned by mixed martial-arts powerhouse Ultimate Fighting Championship (UFC) is at the center of the latest controversy around clandestine, browser-based cryptocurrency mining.

Multiple users on social media reported yesterday that code developed by Coinhive – a monero mining script that can be embedded in a web page – was found in the code on the UFC's Fight Pass streaming site. It's unclear at this time where the code was sourced from, and a customer support staffer for UFC told a user that "we take these matters very seriously, and will review this."

“Immediately upon learning of the reported issue, Neulion, UFC’s over-the-top digital service provider, reviewed the UFC.TV/FIGHTPASS site code and did not find any reference to the mentioned Coinhive java script," A UFC spokesperson wrote in a statement to CoinDesk, subsequent to publication. "We are continuing to review the available information and feel confident that there are no coding issues across the site at this time.”

But Reddit users contend they found lines of code for Coinhive's mining script in the HTML for the page, as shown in two different screengrabs shared to Imgur.

The software was also spotted running by several users, included one who later flagged it onon Twitter. After one reddit user emailed UFC support about it, he got a response saying that they were looking into it. The attention that the situation attracted appears to have spurred UFC to action, as the script was ultimately removed, according to another post.

None of the screencaptures on the Internet Archive from yesterday show the script in the source code on UFC.com, but the captures from yesterday were made after these reports started coming out.

The move represents the latest instance in which a well-known site played unwitting host to the Coinhive script, which utilizes a user's computer capacity to mine the privacy-oriented cryptocurrency monero.

Subsequent to publication, Coinhive emailed CoinDesk to say that since none of the screenshots included the site key, it couldn't give any information on how much had been mined or if it had happened. "For what it's worth, we didn't notice any new 'top user' in our internal site wide dashboard. So the miner was either removed quickly again or didn't affect a lot of endusers," the company wrote in a statement. "Just for the record, we have a strict policy against using our service on 'hacked' sites and will terminate accounts that violate our terms of service, as soon as we're notified of them."

A streaming service run by Showtime previously found Coinhive code running on its sites, and web security firm Cloudflare has expressed its intent to crack down on sites that add mining software to sites without first notifying users.

This story has been updated with comment from Coinhive and UFC.

Correction: A previous version of this article inaccurately stated that CoinDesk has been in contact with UFC.

UFC fighter Vitor Belfort via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about